Recovering CTF Addict — led "lollerskaterz dropping from roflcopters" with Beist, RPISEC, etc 



Professional security failure 
DEFCON 



Research Motivation 



Which messengers do you use? 

Have they been audited by benevolent third parties on behalf of the vendors? 

• Or only by your adversaries? 



Robert Morris 
(Harry Naltchayan/THE WASHINGTON POST) 

"Never underestimate the attention, risk, money and time that an opponent will put into reading traffic." 



The Messengers 




Outline 



• What to analyze 

• Selected findings 

• Summary & Future 



What to analyze 



Protocol — Data in motion 



Storage — Data at rest 
Content — Data with malice 



Desirable Protocol Properties 







Authenticity 

Secrecy 

• Data & (Metadata?) 

Integrity 



Data In Motion 



Adversary Characteristics 



Active 



Local 




Global 



Passive 



Data In Motion 



Online & Offline attacks 




Offline 

• Wrong algorithms (public keys used as private) 

• Reused cipherstream 

• Key material leaked on wire 

• Searching the key space 

Samples 

• Frequency & timing leaks data 

• Insecure IV/nonces lead to dictionary attacks 

• Reused nonces (ECDSA) 



Data In Motion 



Online Attack Samples 

• Downgrade 

• Replay 

• Brute force 

• Timing side-channel attacks 

• Naive Diffie-Hellman MITM 

• Chosen ciphertext: 

  • Bit flipping predictable cipherstream 

  • CBC padding oracle 

• Chosen plaintext: 

  • BEAST, CRIME by Juliano & Thai 



Data In Motion 



Desirable Storage 

Properties 



Content encrypted 
at rest 

Passwords & keys 
protected 




Secure backup 




Data At Rest 






One time during defcon 

qualifiers... 



Where's Waldo? 

Things not part of the challenge: 

• Forensic investigator's Telephone No. & txts 

• Original owner's name, emails, password ... 



Data At Rest 



iOS Data Protection 



Data Protection protects files with a device-unique hardware key wrapped with the user's passcode 

• Requires a passcode to be set 

• Best data-at-rest security available on iOS; software-only solutions would allow offline brute force 



Data At Rest 



iOS Backup Security 

iCloud Keychain 

iCloud & Computer backup 

<App>/Library/Private\ Documents/ won't be backed up 
<App>/Library/Documents/ will be 

• Unless NSURLIsExcludedFromBackupKey, etc 

https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/PerformanceTuning/PerformanceTuning.html#//apple_ref/doc/uid/TP40007072-CH8-SW9 

Data At Rest 



Content Vulnerabilities 



Spoofing & Social 
Engineering Attacks 

Memory trespass 
errors 

Web vulnerabilities 
(XSS, CSRF, etc) 

IPC Attack surface 










Social Engineering Attacks 



• "Hey, weird, when I type in my password it shows 

Up do 

• Username spoofing (spaces, quotes, Unicode) 

• Fake logins 



Data with Malice 



Memory Trespass Errors 

Attacker goal is remote code execution 

Messengers have huge rich content & media attack 
surface 

• movie parsers, image parsers (image files, 
videos, etc) 

Messengers implement custom binary protocols 
PIE, ASLR a factor 

Data with Malice 



Web Vulnerabilities 



UIWebView 

• JavaScript bridged objects 

XSS/HTML/CSS injection for code execution, UI spoofing, etc 



Data with Malice 



IPC Attack Surface 



iOS has limited IPC 

• Bluetooth/iAP abused sometimes 
Custom URI handlers 

• Can be triggered from a website or activating a 
link 



Data with Malice 



Food for thought 



Can other running applications perform side 
channel attacks to steal private keys? 

• Probably ... unless the underlying cryptographic 
implementations were designed meticulously 
against side channels on ARM 



Data with Malice 



Misc 



What happens when a SIM gets borrowed? 

A CA gets compromised? 



The Messenger Apps 




Threema 




Threema 



• www.threema.ch 

• End-to-End encryption 

• Closed Source 

• Features text, image, video sharing, group chats, 
and phone calls 



Protocol summary 

HTTPS API 

• Pinned Threema HTTPS certificate 
NaCl based binary messaging protocol 

• NaCl employs Curve25519/Salsa20/Poly1305 

• Outer layer 

• Inner layer 

Data in Motion 



Outer layer 



Ephemeral ECDH session established with 
centralized server 

Hardcoded public keys for centralized servers 

Pairwise nature of crypto_box usage ensures 
against replay MITMs of outer layer 



Data in Motion 



Inner layer 

Threema IDs, pseudonyms sent plaintext for routing 
by centralized service 

Messages from user to user sent encapsulated in 
ECDH between public identities 

Decrypted binary data contains text messages, 
group text chats, rich media links, etc. 

Group messages share rich content data with 
symmetric keys, shared across parties 

Data in Motion 



Forward Secrecy? 

"Threema provides forward secrecy on the network connection (not on the end-to-end layer). Client and server negotiate temporary random keys, which are only stored in RAM and replaced every time the app restarts (and at least once every 7 days). An attacker who has captured the network traffic will not be able to decrypt it even if he finds out the long-term secret key of the client or the server after the fact." 



Data in Motion 



Blob protocol 



• Rich media not sent inside of messages, 
retrieved via blob HTTPS API. 

• HTTPS api used to post and retrieve large, 
encrypted files 

• Encrypted end-to-end 



Data in Motion 



Data at Rest 



Messages stored in sqlite database 
Data protection in use 
• NSFileProtectionComplete 
Keychain used for secret keys 
Software pin-lock for sharing a phone 



Threema Application Attack 

Surface 

Binary messaging protocol inside of messages 
which come from other users 

Will automatically decrypt and process messages 
from unknown users 

Image Parsers, Videos, etc 

threema:// URI Handler 

QR Code reader 

Data With Malice 



Attack Findings 

Non-exploitable application crash on iOS 

• DoS with malicious message: Threema will crash on startup every time for 2 weeks, until the resend times out 

More TBD 

URI handler has limited attack surface 

• All actions require user approval 

Data With Malice 



Additional Threema 

concerns 

Third-party metrics software, Hockey SDK 

• Nice target for adversaries. Many birds with one 
stone 

• Leaks metadata 

• Non pinned certificate, communications can be 
hijacked 



LINE 



www.line.me 
Closed Source 

Features phone calls, video calls, text, image, 
video sharing, group chats, games, and much 
much more 



Transport security 

HTTPS APIs 

• No or limited certificate pinning 
Multiple custom binary protocols 

• RSA-1024, AES-128 CBC PKCS7, fixed IV 

• Malleable, allows replay and bit fiddling 

• Decryption of message contents possible with 
interactive protocol attack 



Binary messaging protocols 



SPDY, falls back to HTTP 

1. Client generates random AES key 

2. Client encrypts AES key with hardcoded 1024-bit 
RSA pub key and sends to server 

3. Server/client proceed to send AES-CBC-pkcs7 
messages with fixed IV, no Message Authentication 
Code 



Various messaging types, no further encryption 

Data in Motion 



Binary messaging protocols 



• legy: album, group_note, homeapi, music, myhome, note, scrap, talk, timeline, timeline_auth, logger 



Data in Motion 



Data at rest 



Message contents not protected with 
NSFileProtectionComplete 

Authentication keys in keychain 



Application Attack Surface 



• Binary TLV parser 

• Voice & Video calls 

• Image, video sharing 

• URI handlers + more 

• QR Codes 

• Themes, stickers, etc 



URI Handler 



(lowercases the incoming string and checks whether it contains "kakao") 

    MOV     R0, #(selRef_lowercaseString - 0xE87D4)   ; selRef_lowercaseString 
    ADD     R0, PC                                    ; selRef_lowercaseString 
    LDR     R6, [R0]                                  ; "lowercaseString" 
    MOV     R0, R8 
    MOV     R1, R6 
    BLX.W   _objc_msgSend 
    MOV     R7, R7 
    BLX.W   _objc_retainAutoreleasedReturnValue 
    MOV     R4, R0 
    MOV     R0, #(selRef_containsString_ - 0xE87F4)   ; selRef_containsString_ 
    MOVW    R2, #(:lower16:(cfstr_Kakao - 0xE87FA))   ; "kakao" 
    ADD     R0, PC                                    ; selRef_containsString_ 
    MOVT.W  R2, #(:upper16:(cfstr_Kakao - 0xE87FA))   ; "kakao" 
    ADD     R2, PC                                    ; "kakao" 
    LDR     R5, [R0]                                  ; "containsString:" 
    MOV     R0, R4 
    MOV     R1, R5 
    BLX.W   _objc_msgSend 
    TST.W   R0, #0xFF 
    BEQ     loc_E8810 





Smashing the heap in LINE 



• Binary protocol: remote, heap buffer overflow 
• Reachable via plaintext by active attackers 



Recommendations 

Pin certificates 
Redesign binary protocol 

• Needs at least RSA-2048 or preferably ECC 

• Messages need a MAC 

• Replay protection 

Employ iOS data protection to protect message 
contents 



KakaoTalk 



www.kakao.com 
Closed Source 

Features phone calls, video calls, text, image, 
video sharing, group chats, and much much more 



Protocol summary 



HTTPS used to retrieve Ul contents, registration, 
etc 

• No certificate pinning employed 

• Custom binary messaging protocol with RSA-1024 pkcs1 + AES CBC w/ pkcs7, and a fixed IV: "locoforever" 



Data in Motion 



Binary messaging protocol 

("Loco") 




1. Client generates random AES key 

2. Client encrypts AES key with hardcoded 1024-bit 
RSA pub key and sends to server 

3. Server/client proceed to send AES-CBC-pkcs7 
messages with fixed IV, no Message Authentication 
Code 

Various messaging types, data in Binary JSON 
packet, no further encryption 




Data in Motion 



Demo time 



Data in Motion 



RSA encrypted session key 

8000000001000000010000002806dc3a56fb605c099c5d643e80a324b5d0942464d4e72bf4c9a2032f599c07b0973c9101f58b39619004893349667b2beb6151c3576ea67400 
5a8723040d3eea9f18cd163310774658e1756707af4fb1d38f5c5449178db45e1056f7dbef9fc8fec937326830b80abad252ea443bea5998de26ac619f47b7396b2564f2f0bf5001 
0000d50917a00f47758a35371c5f5044dafb18267aa052e96247e9867edc468f02c6e4f74b9c6d879be41ed134df087bf44294c87d22f6dc590ca464e14787953b638a0f7b99874 
d445dbd39181bfe683025c4dfb8135f46ff4854c1e780dcb070bd43859c958a02157969e36ad962b288d879bb4b1b96e07cff203bb1cb6580be02748a715a1c67ac63a70ad43f 
45d99af2d007d322f0d52799860d66937b4f9cce554834e9fc3c0e56e1df6df408a0ba54c62c24d52bc7741d2c03d61bb35f3bdf734967cef8158ad8c176825008162261456f47c 
b1f3fecb6165e56418687aad9989fd601ab9327de367d657ad96d6d3ea72e27e03255ff75be9e3931ff2800a82347c52cc8e460ec438b9ff85f41c1b259e321925432369581547e 
b8a0c85e8e07110834bee577bb4cd57ee82ac307f1cefd84053668b9c2123b362e12a02f1a39017807c534edacb873c7613d5958ad 



AES Ciphertext 

e67d0e517c52d8569a2d7a6f538bb716cbb081c3f113b19199c8f30da99b030fe3fc68d507b54e3fab509a9d0b0475ef67d2164c9c5acdab05d4247ff144fc16b89d2b11be9338 
0d4a04440530ef78a81d99ddf4f15d84ac62b62d34dc8b46a51be308cd2fc825fbfc02f7ce296466ed70d7d2a4e94a49a5850cfe6915fb9d58ec4e47c5cab3af4b9200eb66c73d 
7ea0002c0d86ab77b7dd4872052f344e947a10c2b1f1608cbe82784a8a9498688632c5fb26634a04766dbdbf48ac5f28cd228bc52f9c6395cda50fc66bb5e3cb64da208c68934 
b45d866d11c9c0abd1Ce3029cad2f6cc8469d04546f087a35f3e9306bda580f122bd71a32f7cc3f20376a64b 
3f728477f02bc0c46807fc7696d96c7578fb2d4a5bcb34ffc4e9281c0d4405163e802e5c30159e5f8ccb8fdd4abc73655fbe792739f85c32b651d36a2c7f6c91d6930306cce92f6ef 
30f97b5890fb463a7a5f5558ad530fd296b2d1f876b2dcd56e1552dd7ea496ac70d0948e655dce1f1dd8cd231fcb2d1cb9ec27e17226599747a03a246e09661bbaf583d7872a4 
a9b25847849644c0fc138df77ffe3ffbd4bfe348ad25d08462a95221984ea3f146d08a75b16708e6cadbb226ce28cf094bdeb746521270a99065728175a69fd9afcf282467b90eb7 
f730681f12a7a46b9a52e0bd52c55f9761b2599f3842e79c632824d99b0db801fc43b0b1f3b5a13b823a27193b574ad4b5cde078ee8a4bc2428ed8e587d25472ee7aa390fbcef7 
ef145b0ed8bb90784c4b6a88b177e78eabb821b428ccd50e52217446ac8600232eb221f1a75d583aad8434dc593902cba197abb05abd178eddf06bae7cc2754324819b68990 
af0cfcaa066a9cb086dc019698e6f6ad14da0cbdb1a438303497847cd9d955dd5b2205c9c98fe0758382634172a7aa685611623f345232b2d9741394ed7896a755cb4f49f3849 
e5bec5f35392b51bdcb68d9c57c9fc1e6f665fc4cf67a198ef565cc75563e912e21b73490a7ddfb3093d4c469c6313551aa9187b0614175b92e8d035239cbb9d820c8d41b69e8 
63c50de38218a4bf35ce0f4b261a1694e3b5ae9e0b92b5161ba708d479196c7bfa1e992a211937769d4317b72aae3c1a40c546e400c1bf996139a2182f2681fa48f615264e1fd5 
a889b9221a76376d8cf24921afb131621a21fe1c74f7461f8f0da39db45254e44a9c7a4fbd734104d65130c5a43661df3b55fbd876f1ee4cc4603aa325444e2f6ff35395193a72585 
0f674c60 



Decrypted message 



Plaintext 



'\x00\x00\x85\x03\x00\x00\x85\x03\x00\x00\x10type\x00' '\x01\x00\x00\x00\x10msgId\x00\x95M%S\x08' 'noSeen\x00\x00\x02msg\x00I\x03\x00' 
'\x00AAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 
'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 
'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 
'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 
'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 
'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 
'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 
'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 
'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 
'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 
'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 
'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 
'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 'AAAAAAAAAAAAAAAA' 
'AAAAAAAAAAAAAAAA' 'AAAAAAAAA\x00\x12chatI' 'd\x00\x86\xd4\x87\x1csD\x00\x00\x00\xc9C\x06\xaf7' 
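The decrypted packet above is BSON after a short Loco header: \x10type\x00 (int32), \x10msgId\x00 (int32), \x08noSeen\x00 (bool), \x02msg\x00 with a 4-byte length of 0x349 followed by 840 bytes of 'A' and a NUL, and \x12chatId\x00 (int64). The parser below is an added example in Go, not code from the talk or from KakaoTalk: it decodes exactly those four element types and checks every attacker-controlled length field against the bytes actually present before using it to index the buffer, which is the property a binary-protocol parser needs if "Binary JSON protocol" is not to become a heap overflow. SamplePacket() mirrors the slide's element layout with constructed values (the same 901-byte document length as the slide's 0x385), and MalformedPacket() inflates the msg length field to show the rejection.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

var errTruncated = errors.New("bson: element extends past end of document")

// fixedSize is the number of value bytes each supported element type needs up front
// (for strings, the 4-byte length prefix).
var fixedSize = map[byte]int{0x10: 4, 0x12: 8, 0x08: 1, 0x02: 4}

// ParseBSON decodes a flat BSON document holding int32 (0x10), int64 (0x12), bool (0x08)
// and string (0x02) elements. Every length field is attacker-controlled, so each one is
// checked against the bytes actually present before it is used to index the buffer.
func ParseBSON(doc []byte) (map[string]interface{}, error) {
	if len(doc) < 5 {
		return nil, errors.New("bson: shorter than the minimal document")
	}
	total := int(int32(binary.LittleEndian.Uint32(doc)))
	if total < 5 || total > len(doc) || doc[total-1] != 0 {
		return nil, errors.New("bson: declared length does not fit or terminator missing")
	}
	out := map[string]interface{}{}
	for p := 4; p < total-1; {
		typ := doc[p]
		p++
		end := bytes.IndexByte(doc[p:total-1], 0) // element name is NUL-terminated
		if end < 0 {
			return nil, errTruncated
		}
		key := string(doc[p : p+end])
		p += end + 1
		avail := total - 1 - p // value bytes left before the document terminator
		size, ok := fixedSize[typ]
		if !ok {
			return nil, fmt.Errorf("bson: unsupported element type 0x%02x", typ)
		}
		if avail < size {
			return nil, errTruncated
		}
		switch typ {
		case 0x10:
			out[key] = int32(binary.LittleEndian.Uint32(doc[p:]))
		case 0x12:
			out[key] = int64(binary.LittleEndian.Uint64(doc[p:]))
		case 0x08:
			out[key] = doc[p] != 0
		case 0x02:
			n := int(int32(binary.LittleEndian.Uint32(doc[p:]))) // counts the trailing NUL
			if n < 1 || n > avail-4 || doc[p+4+n-1] != 0 {
				return nil, errTruncated // the check a memcpy-driven parser skips
			}
			out[key] = string(doc[p+4 : p+4+n-1])
			size += n
		}
		p += size
	}
	return out, nil
}

func le32(v uint32) []byte {
	b := make([]byte, 4)
	binary.LittleEndian.PutUint32(b, v)
	return b
}

func le64(v uint64) []byte {
	b := make([]byte, 8)
	binary.LittleEndian.PutUint64(b, v)
	return b
}

// elem encodes one element: type byte, NUL-terminated name, value bytes.
func elem(typ byte, key string, value []byte) []byte {
	return append(append(append([]byte{typ}, key...), 0), value...)
}

func elInt32(key string, v int32) []byte { return elem(0x10, key, le32(uint32(v))) }
func elInt64(key string, v int64) []byte { return elem(0x12, key, le64(uint64(v))) }
func elBool(key string, v bool) []byte {
	if v {
		return elem(0x08, key, []byte{1})
	}
	return elem(0x08, key, []byte{0})
}
func elString(key, s string) []byte {
	return elem(0x02, key, append(append(le32(uint32(len(s)+1)), s...), 0))
}

// Document wraps elements in the int32 length prefix and trailing NUL.
func Document(elems ...[]byte) []byte {
	var body []byte
	for _, e := range elems {
		body = append(body, e...)
	}
	return append(append(le32(uint32(len(body)+5)), body...), 0)
}

// SamplePacket mirrors the element layout of the decrypted message on the slide
// (type, msgId, noSeen, an 840-byte msg, chatId); the values are constructed.
func SamplePacket() []byte {
	return Document(
		elInt32("type", 1),
		elInt32("msgId", 1234567),
		elBool("noSeen", false),
		elString("msg", strings.Repeat("A", 840)),
		elInt64("chatId", 75000012345),
	)
}

// MalformedPacket is SamplePacket with the msg length field inflated to 0x7fffffff,
// the shape of input that turns a length-trusting parser into a heap over-read.
func MalformedPacket() []byte {
	doc := SamplePacket()
	off := bytes.Index(doc, []byte("\x02msg\x00")) + 5 // offset of the string length field
	binary.LittleEndian.PutUint32(doc[off:], 0x7fffffff)
	return doc
}

func main() {
	fields, err := ParseBSON(SamplePacket())
	if err != nil {
		panic(err)
	}
	fmt.Println("type:", fields["type"], "noSeen:", fields["noSeen"], "msg bytes:", len(fields["msg"].(string)))
	_, err = ParseBSON(MalformedPacket())
	fmt.Println("malformed packet:", err)
}
```

The one design decision worth copying is that avail is computed from the document's own declared length, not from the Go slice's capacity: a parser that trusts the inner length field (here 0x349 for msg) and only the outer buffer size will still over-read when the two disagree.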



Attack impact 



• Thanks to @odiumeh (jsc) for help with attack 

• Ability to decrypt messages: 

• sKey compromised 

• full message contents compromised 



Data in Motion 



Storage & Content protection 



Custom software encryption scheme. Not analyzed 
fully but susceptible to reverse engineering attacks. 

Should employ Data Protection on iOS 



Data at rest 



Skey storage 



Identity key stored in a plist file, 

• Not protected by data protection 

• Available in plaintext from non encrypted 
backups 

• Should use keychain instead 



Application Attack Surface 

• Binary JSON protocol 

• Voice & Video calls 

• Image, video sharing 

• Kakao URI handlers + more 

• QR Codes 

• Themes 



Recommendations 

Pin certificates 
Redesign binary protocol 

• Needs at least RSA-2048 and preferably ECC 

• Messages need a MAC 

• Need replay protection 

Employ iOS data protection to protect lost devices & 
backups 
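The construction the slides describe for both LINE and KakaoTalk (steps 1 to 3: a random AES key sent under RSA-1024, then AES-CBC-PKCS#7 with a fixed IV and no Message Authentication Code) next to the fix the Recommendations ask for, as an added example in Go rather than code from either app. WeakSeal/WeakOpen reproduce the fixed-IV, unauthenticated construction; Session adds a per-message random IV, a MAC (HMAC-SHA256, encrypt-then-MAC) and a sequence number for replay protection. The framing, the separate encryption and MAC keys, and the fixedIV value are assumptions of this example; the RSA key-transport step is left out because the point here is the symmetric layer.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// cbc runs AES-CBC over src, which must already be a whole number of blocks.
func cbc(key, iv, src []byte, encrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	mode := cipher.NewCBCDecrypter(block, iv)
	if encrypt {
		mode = cipher.NewCBCEncrypter(block, iv)
	}
	out := make([]byte, len(src))
	mode.CryptBlocks(out, src)
	return out
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad expects a non-empty, block-aligned input (callers check that).
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// fixedIV is a constructed stand-in for the hard-coded IV the slides describe.
var fixedIV = []byte("fixed-iv-demo!!!")

// WeakSeal and WeakOpen reproduce the slides' construction: AES-CBC with PKCS#7,
// the same IV for every message, and no MAC. Nothing in WeakOpen can tell a
// genuine ciphertext from a modified or replayed one.
func WeakSeal(key, pt []byte) []byte { return cbc(key, fixedIV, pkcs7Pad(pt), true) }

func WeakOpen(key, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	return pkcs7Unpad(cbc(key, fixedIV, ct, false))
}

// Session is the hardened variant: fresh random IV per message, encrypt-then-MAC
// with HMAC-SHA256, and a strictly increasing sequence number to reject replays.
// Both sides are constructed with the same pair of keys (one for each purpose).
type Session struct {
	encKey, macKey   []byte
	sendSeq, recvSeq uint64
}

func NewSession(encKey, macKey []byte) *Session {
	return &Session{encKey: encKey, macKey: macKey}
}

// Seal produces seq(8) || iv(16) || ciphertext || tag(32); the tag covers everything before it.
func (s *Session) Seal(pt []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	s.sendSeq++
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, s.sendSeq)
	msg = append(append(msg, iv...), cbc(s.encKey, iv, pkcs7Pad(pt), true)...)
	mac := hmac.New(sha256.New, s.macKey)
	mac.Write(msg)
	return mac.Sum(msg), nil
}

// Open verifies the tag before touching the ciphertext (so padding errors never
// become an oracle), then rejects any sequence number that is not new.
func (s *Session) Open(msg []byte) ([]byte, error) {
	const hdr = 8 + aes.BlockSize
	if len(msg) < hdr+aes.BlockSize+sha256.Size || (len(msg)-hdr-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("bad message length")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, s.macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("MAC mismatch: message was modified")
	}
	seq := binary.BigEndian.Uint64(body[:8])
	if seq <= s.recvSeq {
		return nil, errors.New("replay: sequence number not increasing")
	}
	pt, err := pkcs7Unpad(cbc(s.encKey, body[8:hdr], body[hdr:], false))
	if err != nil {
		return nil, err
	}
	s.recvSeq = seq
	return pt, nil
}
```

Usage is rx.Open(tx.Seal(plaintext)) with both sessions built from the same keys. Two things are visible when the two schemes are run side by side: under WeakSeal the same plaintext always yields the same ciphertext (the "insecure IV" dictionary leak from the Offline slide), and WeakOpen returns without error after a byte of the first ciphertext block has been changed, whereas Session.Open refuses it at the MAC check and refuses a second delivery of a genuine message at the sequence check. Checking the MAC before decrypting is also the ordering that closes the CBC padding oracle listed under Online Attack Samples.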



Summary 



Three messengers 

Mixture of HTTPS APIs & Binary Protocols 

Various degrees of fail 

Many features, huge attack surface 



Main takeaways 

RSA-1024 — bad 

CBC without MAC — very bad 

• Online attacks with replay allow total compromise of 
secrecy 

Certificate pinning — good 

Platform data security features — good 

Transport Privacy != End-to-End Privacy 



Looking into the future 

End-to-end with forward secrecy and metadata protection 

• Axolotl Ratchet by Trevor P & Moxie M 

• https://github.com/trevp/axolotl/wiki 

• TBD: TextSecure 

Metadata protection against Global adversaries 

• Onion routing? 

• Unsolved problem? 



• Thank you CodeGate 

• @beist, rebel, @odiumeh, @julianor & Thaidn 

• greets to the CTF teams 



Extended content: 
Reversing iOS Apps 



Dump application & reverse statically 

Dynamic analysis 

Sniff network communications 



Dumping Decrypted 

Applications 

• iOS applications are encrypted 

• and subsequently decrypted at execution time 

• dumpdecrypted by @i0n1c 



Static Analysis 

• IDA Pro 

• https://www.hex-rays.com/products/ida/ 

• radare 

• http://radare.org/yZ 



Dynamic Tracing Tools 



lldb||gdb w/ python bindings 

mobilesubstrate - http://iphonedevwiki.net/index.php/MobileSubstrate 

introspy - https://github.com/iSECPartners/Introspy-iOS 

snoopit - https://code.google.com/p/snoop-it/ 



Sniffing Network 
Communications 

HTTP Proxy (Charles, etc) 
Remote Virtual Interface 

• https://developer.apple.com/library/mac/qa/qa1176/index.html#//apple_ref/doc/uid/DTS10001707-CH1-SECIOSPACKETTRACING 



Sniffing SSL 
Communications 



(1) goto fail; 

• Certificate pinning :-) 

(2) Installing a CA in the system trust 

(3) Hook certificate verification 



